feat: native iOS passkey with PRF and cross-platform bridge

0xnullifier · 0xnullifier · commit ee8a3c07439b · 2026-04-10T21:08:21.000+05:30
diff --git a/ios/App/App.xcodeproj/project.pbxproj b/ios/App/App.xcodeproj/project.pbxproj
@@ -18,6 +18,7 @@
 		83CCE39C02FD0BF8DD39551F /* AppViewController.swift in Sources */ = {isa = PBXBuildFile; fileRef = 1A6B2865F76F213517CFCCD1 /* AppViewController.swift */; };
 		B54E83DC5BCCDB512256423A /* LocalBiometricPlugin.swift in Sources */ = {isa = PBXBuildFile; fileRef = 21A34DAD709C71D553F88951 /* LocalBiometricPlugin.swift */; };
 		C7D4E92A3F8B1C5D00A2B9E1 /* BarcodeScannerPlugin.swift in Sources */ = {isa = PBXBuildFile; fileRef = C7D4E92B3F8B1C5D00A2B9E2 /* BarcodeScannerPlugin.swift */; };
+		D1A2B3C4E5F607890A1B2C3D /* PasskeyPlugin.swift in Sources */ = {isa = PBXBuildFile; fileRef = D1A2B3C4E5F607890A1B2C3E /* PasskeyPlugin.swift */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXFileReference section */
@@ -35,6 +36,7 @@
 		873F0344C8952CB5585102E0 /* App.entitlements */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.plist.entitlements; path = App.entitlements; sourceTree = "<group>"; };
 		958DCC722DB07C7200EA8C5F /* debug.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = debug.xcconfig; path = ../debug.xcconfig; sourceTree = SOURCE_ROOT; };
 		C7D4E92B3F8B1C5D00A2B9E2 /* BarcodeScannerPlugin.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = BarcodeScannerPlugin.swift; sourceTree = "<group>"; };
+		D1A2B3C4E5F607890A1B2C3E /* PasskeyPlugin.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = PasskeyPlugin.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -79,6 +81,7 @@
 				50B271D01FEDC1A000F3C39B /* public */,
 				21A34DAD709C71D553F88951 /* LocalBiometricPlugin.swift */,
 				C7D4E92B3F8B1C5D00A2B9E2 /* BarcodeScannerPlugin.swift */,
+				D1A2B3C4E5F607890A1B2C3E /* PasskeyPlugin.swift */,
 				1A6B2865F76F213517CFCCD1 /* AppViewController.swift */,
 				873F0344C8952CB5585102E0 /* App.entitlements */,
 			);
@@ -170,6 +173,7 @@
 				B54E83DC5BCCDB512256423A /* LocalBiometricPlugin.swift in Sources */,
 				C7D4E92A3F8B1C5D00A2B9E1 /* BarcodeScannerPlugin.swift in Sources */,
 				83CCE39C02FD0BF8DD39551F /* AppViewController.swift in Sources */,
+				D1A2B3C4E5F607890A1B2C3D /* PasskeyPlugin.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
diff --git a/ios/App/App/App.entitlements b/ios/App/App/App.entitlements
@@ -6,5 +6,9 @@
 	<array>
 		<string>$(AppIdentifierPrefix)com.miden.wallet</string>
 	</array>
+	<key>com.apple.developer.associated-domains</key>
+	<array>
+		<string>webcredentials:api.midenbrowserwallet.com</string>
+	</array>
 </dict>
 </plist>
diff --git a/ios/App/App/AppViewController.swift b/ios/App/App/AppViewController.swift
@@ -5,5 +5,6 @@ class AppViewController: CAPBridgeViewController {
     override open func capacitorDidLoad() {
         bridge?.registerPluginInstance(LocalBiometricPlugin())
         bridge?.registerPluginInstance(BarcodeScannerPlugin())
+        bridge?.registerPluginInstance(PasskeyPlugin())
     }
 }
diff --git a/ios/App/App/PasskeyPlugin.swift b/ios/App/App/PasskeyPlugin.swift
@@ -0,0 +1,278 @@
+import Foundation
+import Capacitor
+import AuthenticationServices
+import CryptoKit
+import os.log
+
+private let logger = OSLog(subsystem: "com.miden.wallet", category: "Passkey")
+
+/// Native Capacitor plugin for passkey operations using Apple's ASAuthorization API
+/// with PRF (Pseudo-Random Function) extension support.
+///
+/// WKWebView's JavaScript WebAuthn bridge does not pass through the PRF extension,
+/// so we bypass it entirely and call the native API directly.
+///
+/// Requires iOS 18.0+ for PRF support.
+@objc(PasskeyPlugin)
+public class PasskeyPlugin: CAPPlugin, CAPBridgedPlugin, ASAuthorizationControllerDelegate, ASAuthorizationControllerPresentationContextProviding {
+    public let identifier = "PasskeyPlugin"
+    public let jsName = "Passkey"
+    public let pluginMethods: [CAPPluginMethod] = [
+        CAPPluginMethod(name: "isAvailable", returnType: CAPPluginReturnPromise),
+        CAPPluginMethod(name: "register", returnType: CAPPluginReturnPromise),
+        CAPPluginMethod(name: "authenticate", returnType: CAPPluginReturnPromise)
+    ]
+
+    // Strong reference to prevent ASAuthorizationController deallocation mid-flow
+    private var authController: ASAuthorizationController?
+    private var currentCall: CAPPluginCall?
+    private var isRegistration = false
+
+    // MARK: - ASAuthorizationControllerPresentationContextProviding
+
+    public func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {
+        return self.bridge?.viewController?.view.window ?? ASPresentationAnchor()
+    }
+
+    // MARK: - Plugin Methods
+
+    @objc func isAvailable(_ call: CAPPluginCall) {
+        os_log("[Passkey] isAvailable called", log: logger, type: .debug)
+        if #available(iOS 18.0, *) {
+            call.resolve(["available": true])
+        } else {
+            os_log("[Passkey] iOS 18.0+ required for PRF support", log: logger, type: .info)
+            call.resolve(["available": false])
+        }
+    }
+
+    @objc func register(_ call: CAPPluginCall) {
+        os_log("[Passkey] register called", log: logger, type: .debug)
+
+        guard #available(iOS 18.0, *) else {
+            call.reject("Passkey PRF requires iOS 18.0+")
+            return
+        }
+
+        guard let rpId = call.getString("rpId"),
+              let userName = call.getString("userName"),
+              let _ = call.getString("userDisplayName"),
+              let userIdBase64 = call.getString("userId"),
+              let challengeBase64 = call.getString("challenge"),
+              let prfSaltBase64 = call.getString("prfSalt") else {
+            call.reject("Missing required parameters")
+            return
+        }
+
+        guard let userId = Data(base64Encoded: userIdBase64),
+              let challenge = Data(base64Encoded: challengeBase64),
+              let prfSalt = Data(base64Encoded: prfSaltBase64) else {
+            call.reject("Invalid base64 encoding")
+            return
+        }
+
+        self.currentCall = call
+        self.isRegistration = true
+
+        let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: rpId)
+        let request = provider.createCredentialRegistrationRequest(
+            challenge: challenge,
+            name: userName,
+            userID: userId
+        )
+
+        // Attach PRF with salt so registration returns the PRF output directly.
+        let saltValues = ASAuthorizationPublicKeyCredentialPRFAssertionInput.InputValues(saltInput1: prfSalt)
+        request.prf = .inputValues(saltValues)
+
+        DispatchQueue.main.async { [weak self] in
+            guard let self = self else { return }
+            let controller = ASAuthorizationController(authorizationRequests: [request])
+            controller.delegate = self
+            controller.presentationContextProvider = self
+            self.authController = controller
+            controller.performRequests()
+        }
+    }
+
+    @objc func authenticate(_ call: CAPPluginCall) {
+        os_log("[Passkey] authenticate called", log: logger, type: .debug)
+
+        guard #available(iOS 18.0, *) else {
+            call.reject("Passkey PRF requires iOS 18.0+")
+            return
+        }
+
+        guard let rpId = call.getString("rpId"),
+              let credentialIdBase64 = call.getString("credentialId"),
+              let challengeBase64 = call.getString("challenge"),
+              let prfSaltBase64 = call.getString("prfSalt") else {
+            call.reject("Missing required parameters")
+            return
+        }
+
+        guard let credentialId = Data(base64Encoded: credentialIdBase64),
+              let challenge = Data(base64Encoded: challengeBase64),
+              let prfSalt = Data(base64Encoded: prfSaltBase64) else {
+            call.reject("Invalid base64 encoding")
+            return
+        }
+
+        self.currentCall = call
+        self.isRegistration = false
+
+        let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: rpId)
+        let request = provider.createCredentialAssertionRequest(challenge: challenge)
+
+        request.allowedCredentials = [
+            ASAuthorizationPlatformPublicKeyCredentialDescriptor(credentialID: credentialId)
+        ]
+
+        let saltValues = ASAuthorizationPublicKeyCredentialPRFAssertionInput.InputValues(saltInput1: prfSalt)
+        request.prf = .inputValues(saltValues)
+
+        DispatchQueue.main.async { [weak self] in
+            guard let self = self else { return }
+            let controller = ASAuthorizationController(authorizationRequests: [request])
+            controller.delegate = self
+            controller.presentationContextProvider = self
+            self.authController = controller
+            controller.performRequests()
+        }
+    }
+
+    // MARK: - ASAuthorizationControllerDelegate
+
+    public func authorizationController(
+        controller: ASAuthorizationController,
+        didCompleteWithAuthorization authorization: ASAuthorization
+    ) {
+        os_log("[Passkey] Authorization completed", log: logger, type: .debug)
+
+        guard let call = currentCall else {
+            os_log("[Passkey] No pending call", log: logger, type: .error)
+            return
+        }
+
+        if #available(iOS 18.0, *) {
+            if let registration = authorization.credential as? ASAuthorizationPlatformPublicKeyCredentialRegistration {
+                handleRegistrationResult(registration, call: call)
+            } else if let assertion = authorization.credential as? ASAuthorizationPlatformPublicKeyCredentialAssertion {
+                handleAssertionResult(assertion, call: call)
+            } else {
+                call.reject("Unexpected credential type")
+                cleanup()
+            }
+        } else {
+            call.reject("iOS 18.0+ required")
+            cleanup()
+        }
+    }
+
+    public func authorizationController(
+        controller: ASAuthorizationController,
+        didCompleteWithError error: Error
+    ) {
+        os_log("[Passkey] Authorization error: %{public}@", log: logger, type: .error, error.localizedDescription)
+
+        guard let call = currentCall else { return }
+
+        let nsError = error as NSError
+        if nsError.domain == ASAuthorizationError.errorDomain,
+           let code = ASAuthorizationError.Code(rawValue: nsError.code) {
+            switch code {
+            case .canceled:
+                call.reject("Passkey operation was cancelled", "CANCELLED")
+            case .failed:
+                call.reject("Passkey operation failed", "FAILED")
+            case .invalidResponse:
+                call.reject("Invalid response from authenticator", "INVALID_RESPONSE")
+            case .notHandled:
+                call.reject("Request not handled", "NOT_HANDLED")
+            case .notInteractive:
+                call.reject("Not interactive", "NOT_INTERACTIVE")
+            @unknown default:
+                call.reject("Authorization error: \(error.localizedDescription)")
+            }
+        } else {
+            call.reject("Passkey error: \(error.localizedDescription)")
+        }
+
+        cleanup()
+    }
+
+    // MARK: - Result Handlers
+
+    @available(iOS 18.0, *)
+    private func handleRegistrationResult(
+        _ registration: ASAuthorizationPlatformPublicKeyCredentialRegistration,
+        call: CAPPluginCall
+    ) {
+        let credentialId = registration.credentialID
+        os_log("[Passkey] Registration succeeded, credentialId length: %d", log: logger, type: .debug, credentialId.count)
+
+        guard let prfOutput = registration.prf else {
+            os_log("[Passkey] No PRF output from registration", log: logger, type: .error)
+            call.reject("PRF extension not supported by this authenticator")
+            cleanup()
+            return
+        }
+
+        guard prfOutput.isSupported else {
+            os_log("[Passkey] PRF not supported by authenticator", log: logger, type: .error)
+            call.reject("PRF extension not supported by this authenticator")
+            cleanup()
+            return
+        }
+
+        guard let prfKey = prfOutput.first else {
+            os_log("[Passkey] PRF output has no first key", log: logger, type: .error)
+            call.reject("PRF output not available from registration")
+            cleanup()
+            return
+        }
+
+        let prfData = prfKey.withUnsafeBytes { Data(Array($0)) }
+        os_log("[Passkey] PRF output obtained from registration, length: %d", log: logger, type: .debug, prfData.count)
+
+        call.resolve([
+            "credentialId": credentialId.base64EncodedString(),
+            "prfOutput": prfData.base64EncodedString()
+        ])
+
+        cleanup()
+    }
+
+    @available(iOS 18.0, *)
+    private func handleAssertionResult(
+        _ assertion: ASAuthorizationPlatformPublicKeyCredentialAssertion,
+        call: CAPPluginCall
+    ) {
+        os_log("[Passkey] Assertion completed", log: logger, type: .debug)
+
+        guard let prfResult = assertion.prf else {
+            os_log("[Passkey] No PRF output in assertion result", log: logger, type: .error)
+            call.reject("PRF output not available")
+            cleanup()
+            return
+        }
+
+        let prfData = prfResult.first.withUnsafeBytes { Data(Array($0)) }
+        os_log("[Passkey] PRF output obtained, length: %d", log: logger, type: .debug, prfData.count)
+
+        call.resolve([
+            "credentialId": assertion.credentialID.base64EncodedString(),
+            "prfOutput": prfData.base64EncodedString()
+        ])
+
+        cleanup()
+    }
+
+    // MARK: - Cleanup
+
+    private func cleanup() {
+        currentCall = nil
+        authController = nil
+        isRegistration = false
+    }
+}
diff --git a/src/lib/intercom/mobile-adapter.ts b/src/lib/intercom/mobile-adapter.ts
@@ -1,6 +1,14 @@
 import * as Actions from 'lib/miden/back/actions';
+import {
+  disableAutoBackup,
+  enableAutoBackup,
+  getStatus as getAutoBackupStatus
+} from 'lib/miden/back/auto-backup-manager';
 import { store, toFront } from 'lib/miden/back/store';
+import { GoogleDriveProvider } from 'lib/miden/backup/google-drive-provider';
+import { probeCloudBackup, restoreCloudBackup, RestoreEncryptionArgs } from 'lib/miden/backup/restore-service';
 import { MidenMessageType } from 'lib/miden/types';
+import { b64ToU8 } from 'lib/shared/helpers';
 import { WalletMessageType, WalletRequest, WalletResponse } from 'lib/shared/types';
 
 type SubscriptionCallback = (data: any) => void;
@@ -166,6 +174,44 @@ export class MobileIntercomAdapter {
         }
         break;
 
+      case WalletMessageType.CloudBackupRestoreRequest: {
+        const restoreProvider = new GoogleDriveProvider(req.accessToken);
+        const restoreArgs: RestoreEncryptionArgs =
+          req.encryption.method === 'password'
+            ? { type: 'password', backupPassword: req.encryption.backupPassword }
+            : { type: 'passkey', keyMaterial: b64ToU8(req.encryption.keyMaterial) };
+        const content = await restoreCloudBackup(restoreArgs, restoreProvider);
+        return {
+          type: WalletMessageType.CloudBackupRestoreResponse,
+          walletAccounts: content.walletAccounts,
+          walletSettings: content.walletSettings
+        };
+      }
+
+      case WalletMessageType.CloudBackupProbeRequest: {
+        const probeProvider = new GoogleDriveProvider(req.accessToken);
+        const probe = await probeCloudBackup(probeProvider);
+        return { type: WalletMessageType.CloudBackupProbeResponse, ...probe };
+      }
+
+      case WalletMessageType.CloudBackupRegisterRequest: {
+        await Actions.registerFromCloudBackup(req.password ?? '', req.mnemonic, req.walletAccounts, req.walletSettings);
+        return { type: WalletMessageType.CloudBackupRegisterResponse };
+      }
+
+      case WalletMessageType.AutoBackupSetEnabledRequest: {
+        if (req.enabled && req.encryption && req.accessToken && req.expiresAt) {
+          await enableAutoBackup(req.encryption, req.accessToken, req.expiresAt);
+        } else {
+          await disableAutoBackup();
+        }
+        return { type: WalletMessageType.AutoBackupSetEnabledResponse };
+      }
+
+      case WalletMessageType.AutoBackupStatusRequest: {
+        return { type: WalletMessageType.AutoBackupStatusResponse, ...getAutoBackupStatus() };
+      }
+
       default:
         console.warn('MobileIntercomAdapter: Unknown request type', req?.type);
     }
diff --git a/src/lib/passkey/apple-keychain-provider.ts b/src/lib/passkey/apple-keychain-provider.ts
diff --git a/src/lib/passkey/native-passkey-plugin.ts b/src/lib/passkey/native-passkey-plugin.ts

Original file line number	Diff line number	Diff line change
`@@ -5,5 +5,6 @@ class AppViewController: CAPBridgeViewController {`
`5`	`5`	`override open func capacitorDidLoad() {`
`6`	`6`	`bridge?.registerPluginInstance(LocalBiometricPlugin())`
`7`	`7`	`bridge?.registerPluginInstance(BarcodeScannerPlugin())`
	`8`	`+ bridge?.registerPluginInstance(PasskeyPlugin())`
`8`	`9`	`}`
`9`	`10`	`}`